Coinhive Hacked and Launches New Opt-In Service

On October 23rd the JavaScript Monero mining service Coinhive had its Cloudflare account hacked. The hacker changed the DNS records on Coinhive’s Cloudflare account and was able to hijack all Coinhive accounts by getting thousands of sites to load a modified version of the coinhive.min.js script. This modified script forced thousands of sites that run Coinhive’s miner to begin mining Monero for the hacker. The hacker was able to steal the hashes from Coinhive users. Someone representing the Coinhive service told the website BleepingComputer that the hacker only had access to Coinhive’s Cloudflare account for approximately six hours.

The hacker was likely able to access Coinhive’s Cloudflare account due to the account’s password being leaked during the Kickstarter data breach that occurred in 2014. While the passwords that were leaked during the Kickstarter data breach were encrypted, an attacker could decrypt the passwords if they were weak passwords. This means it is likely that Coinhive was using weak passwords for multiple accounts.

According to a blog post on Coinhive’s website, no user account information was breached and Coinhive’s web servers and database servers were not accessed during the hack. “The root cause for this incident was an insecure password for the Cloudflare account that was probably leaked with the Kickstarter data breach back in 2014. We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years old Cloudflare account. We’re deeply sorry about this severe oversight,” Coinhive stated in a post on the site’s blog. Coinhive has pledged to reimburse sites for the theft. Among Coinhive’s plans to reimburse sites is a plan to credit all users with an additional half day of their average daily hashrate.

The Pirate Bay, one of the world’s largest torrenting sites, recently deployed Coinhive’s JavaScript Monero miner, but the site went on to switch to one of Coinhive’s competitors, Crypto-Loot. It appears The Pirate Bay may have since removed all cryptocurrency miners from its site, but many other sites followed the example set by The Pirate Bay. Since the debut of Crypto-Loot, a series of other competitors have popped up. Another JavaScript Monero miner that has been released is Coin-Have. A Chinese JavaScript Monero miner called PPoi has also recently launched. Another similar service which recently launched is called MineMyTraffic; however, its site appears to be down as of the writing of this article. Microsoft’s Malware Protection Center recently tweeted that it had discovered more cryptocurrency miner scripts, one called CoinBlind and one called CoinNebula.

While most of the new JavaScript mining services focus on mining the privacy-focused Monero cryptocurrency, a new JavaScript mining service has launched which aims to mine a new cryptocurrency that is designed to be mined inside of web browsers. This new coin is called JSECoin and is designed around the concept of web mining. JSECoin advertises itself as being more environmentally friendly than cryptocurrencies such as Bitcoin. The coin’s web site states that JSECoin transactions have no fees.

Coinhive’s Monero mining service is now becoming a plugin for WordPress sites. Over four different plugins have been created to allow WordPress users to incorporate the mining script into their site. One plugin, WP Monero Miner with Coin Hive, was removed from the WordPress repo. The JavaScript Monero miners are also frequently showing up on hacked websites, such as the web site of the cable television network Showtime and the web site of the airline AirAsia. While many of these JavaScript cryptocurrency miners do not alert users that mining has started or provide a way for users to opt in or opt out, Coinhive is taking steps to change that. Coinhive has recently released a widget which allows a web site’s users to start and stop the mining process. The widget also allows users to see their hashing rate. In addition to the widget, Coinhive has launched AuthedMine, which specifically requires users to opt in before mining can begin. Coinhive is begging ad blockers and antivirus makers not to block the AuthedMine web site.